Yeah, I'm hanging on with GrapheneOS (on a Pixel) until their native-hardware (Motorola) phones come out, which hopefully will solve this. As I understand it, third-party (banks and so forth) app vendors have to accept their security attestation, which they don't right now, but (I hope) will with Motorola behind them.
reply
Graphene is NOT a jailbroken/rooted OS, it's a really secure, unrooted, bootloader-locked OS, and MS Authenticator works just fine. If anything does not work, it's related to the app maker's dependency on a certain attestation from Google Play Services: grapheneos.org/articles/attestation-compatibility-guide
reply
Root =/= insecure. You probably have administrator access on your home computer operating system, and can very likely do online banking via the web browser with no issues. A secure API is possible regardless of the host metal, operating system, or user permissions.
reply
Do you refer to app-accessible root or user root access? The former is absolutely inherently insecure and compromises the security model of Android/GOS.
reply
Root on computers is insecure. Malware can steal secrets from other applications. We're just used to it, but the Android security model is much better.
reply
Bingo!

Compliance =!= Security

reply
This does not play a role - even if you lock your bootloader, Play Integrity checks still fail, and that means you can't use certain apps, MDM and overall restricts your usage. Thank Google for that.
reply
Sounds like your work has been using your personal phone for free
reply
I hate how common it's become for companies to force you to install things on your personal phone. Even worse is some of them demand you install an MDM profile on your personal phone, which feels 1000% over the line of reasonable.
reply
I've just refused to install such things on my phone.

You want me to have email and teams/slack on my phone? Sorry, I won't install the spyware. Want to pay for me to have a second phone with it? Okay. No? Well then, I just won't have email on my phone.

reply
Sure, if you are in a strong, stable position in life you can do that. The average person doesn't want to rock the boat and cause troubles in their life, so they install the invasive MDM profile.

It needs to be made illegal imo. The company should provide you a device if you need one for the job.

reply
My company MDM doesn't consider GrapheneOS good enough to give me access to email/calendar - impasse?
reply
"I would love to, but I do not have a compatible phone. I cannot afford it."
reply
Spyware aside - I think about data breaches, even if my phone is "secure/compliant".

Scenario: Your account gets compromised somehow. It's signed in to your personal phone. Company data gets leaked or ransomed.

Your phone and its contents are now evidence.

reply
Microsoft Authenticator works on my GrapheneOS (not rooted).
reply
From the linked article it seems this is related to Entra accounts which are Azure cloud related.
reply
Google Authenticator works?
reply
I think Google Authenticator implements the standard OTP, which lots of apps (including KeePass) should support. Microsoft uses their own proprietary crap
reply
You can try to add the standard OTP even for Microsoft crap. If it asks you to register for MFA and opens the screen that says something about downloading the Microsoft Authenticator app, there is a small link at the bottom letting you use another app. Then you get a QR code that you can scan with any other auth app.
reply
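The "standard OTP" the two comments above refer to is TOTP (RFC 6238, built on HOTP, RFC 4226), and the QR code you get after choosing "another app" encodes an `otpauth://` URI carrying the shared secret, which is why any conforming authenticator can produce the same six digits. The following is an added example in Python, written for this thread; it is not code from any commenter, from Microsoft or from Google. It parses such a URI, derives the current code, and verifies a submitted code with a small drift window using a constant-time comparison. The enrollment URI, the "ExampleCorp" issuer and the account label are constructed; the ASCII keys `12345678901234567890` (and the 32- and 64-byte variants) are the RFC test-vector keys used to check the arithmetic. It also goes slightly beyond the comments by handling the SHA-256 and SHA-512 variants the URI format allows.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... URI, i.e. the payload of an enrollment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    algorithm = params.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": params["secret"][0],
        "algorithm": algorithm,
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_base32_secret(secret):
    """Decode the base32 secret from the URI; tolerate lowercase, spaces and missing padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the number of whole periods since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // period, digits, algorithm)


def verify_totp(key, candidate, for_time=None, period=30, digits=6, algorithm="SHA1", window=1):
    """Accept a code from the current step or up to `window` steps either side (clock drift).

    Compared with hmac.compare_digest so a verifier does not leak digit-by-digit timing.
    """
    if for_time is None:
        for_time = time.time()
    step = int(for_time) // period
    ok = False
    for offset in range(-window, window + 1):
        expected = hotp(key, step + offset, digits, algorithm)
        # accumulate instead of returning early so every step costs the same time
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def code_from_uri(uri, for_time=None):
    """Enrollment-to-code path: what any standards-following authenticator app does."""
    p = parse_otpauth_uri(uri)
    key = decode_base32_secret(p["secret"])
    return totp(key, for_time, p["period"], p["digits"], p["algorithm"])


# Constructed enrollment URI (hypothetical issuer/account); the secret is the well-known
# base32 example "JBSWY3DPEHPK3PXP", not a real credential.
EXAMPLE_URI = (
    "otpauth://totp/ExampleCorp:alice@example.test"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleCorp&algorithm=SHA1&digits=6&period=30"
)

if __name__ == "__main__":
    print(parse_otpauth_uri(EXAMPLE_URI))
    print("current code:", code_from_uri(EXAMPLE_URI))
    # RFC 6238 Appendix B vector: SHA1, key "12345678901234567890", T=59, 8 digits -> 94287082
    print("rfc vector:", totp(b"12345678901234567890", 59, digits=8))
```

The point of `verify_totp` is the verifier side: a relying party that accepts the code for the exact 30-second step only will reject phones whose clock is a few seconds off, and a verifier that compares with `==` and returns on the first match leaks timing. Neither detail changes the user-facing behaviour the comments describe; the same secret yields the same code in whichever app scanned the QR code.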
I use a basic OTP password instead of Microsoft's ironically less secure option (see SMS as 2FA) with my work MS account. Perhaps your org disabled it, but it is definitely something a Microsoft account can do.
reply
Proper Microsoft Authenticator setup is more secure than OTP because it's push-based and doesn't allow users to copy-paste their OTP codes into phishing sites. Google also prefers push-based MFA for this reason.
reply